Here are my steps:
- I have a command-line application which authenticates against the /api/v1/authn endpoint (and performs the 2FA challenge), and gets a state token.
- Then I use the state token to get a session via the /login/sessionCookieRedirect endpoint, as described here: https://developer.okta.com/docs/guides/session-cookie/overview/#retrieving-a-session-cookie-by-visiting-a-session-redirect-link
  Curiously, I get a 200 response (not a 302, as described in the doc referenced above). However, I also get a session returned as a cookie in that 200 response ("sid=...").
- Using the session token (as a cookie) from above, I call the /api/v1/sessions/me endpoint to get metadata about the session (expiration, etc). However, with some users, this call fails with the following error message:
  {"errorCode":"E0000007","errorSummary":"Not found: Resource not found: me (Session)","errorLink":"E0000007","errorId":"oae8vk4wHDDTbSr7YgkNtXVAA","errorCauses":}
With other users, this session seems valid and I can get along with the rest of my application logic.
My question is, how can a session created in Step 2 be immediately invalid in Step 3?
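Steps 2 and 3 of the flow above, written with an injectable HTTP transport so the cookie handling can be exercised offline (added example; not the poster's code and not an Okta SDK). It assumes a placeholder org URL `https://example.okta.com` and takes as input the token returned by the completed /api/v1/authn transaction; it accepts either the documented 302 or the 200 the post reports, fails loudly when no `sid` cookie comes back, and surfaces the errorCode from /api/v1/sessions/me so the two outcomes described in the post can be told apart.

```python
"""Steps 2 and 3 of the Okta flow with an injectable HTTP transport,
so the cookie handling can be exercised offline before a real org is involved."""
import json
from http.cookies import SimpleCookie
from urllib import request as urlreq
from urllib.error import HTTPError

OKTA_ORG = "https://example.okta.com"  # placeholder org URL (assumption, not from the post)

class _NoRedirect(urlreq.HTTPRedirectHandler):
    """Do not follow the 302, so its Set-Cookie header stays visible to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def urllib_transport(method, url, headers=None, body=None):
    """Default transport: (status, [Set-Cookie values], body text); 3xx/4xx are returned, not raised."""
    req = urlreq.Request(url, data=body, headers=headers or {}, method=method)
    try:
        resp = urlreq.build_opener(_NoRedirect).open(req, timeout=15)
    except HTTPError as err:  # carries code, headers and body just like a normal response
        resp = err
    return resp.code, resp.headers.get_all("Set-Cookie") or [], resp.read().decode()

def session_from_token(token, transport=urllib_transport, org=OKTA_ORG):
    """Step 2: exchange the token for the sid cookie. The doc says 302, the post saw 200;
    either is accepted, but the response must actually carry a sid cookie."""
    url = f"{org}/login/sessionCookieRedirect?token={token}&redirectUrl={org}/"
    status, set_cookies, _ = transport("GET", url)
    if status not in (200, 302):
        raise RuntimeError(f"sessionCookieRedirect returned HTTP {status}")
    for raw in set_cookies:  # one Set-Cookie header per cookie; only sid matters here
        jar = SimpleCookie()
        jar.load(raw)
        if "sid" in jar:
            return jar["sid"].value
    raise RuntimeError("sessionCookieRedirect did not set an sid cookie")

def check_session(sid, transport=urllib_transport, org=OKTA_ORG):
    """Step 3: call /api/v1/sessions/me with only the sid cookie.
    Returns (True, expiresAt) on 200, otherwise (False, errorCode) such as E0000007."""
    status, _, body = transport("GET", f"{org}/api/v1/sessions/me",
                                {"Cookie": f"sid={sid}", "Accept": "application/json"})
    data = json.loads(body) if body else {}
    if status == 200:
        return True, data.get("expiresAt")
    return False, data.get("errorCode")
```

Swap in a canned transport (a callable returning the same tuple) to replay both the valid-session and the E0000007 case without touching a live org.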